(54) Controlled acceptance mail payment and evidencing system



(57) A method for controlled acceptance mail payment
and evidencing includes creating a mail batch with
a plurality of mailpieces (402) each having an encrypted
indicia (408) printed thereon. A mail documentation file
is created containing the total weight of the mail batch,
the total payment for the mail batch and mailer identification,
all of which are digitally signed to facilitate a subsequent
verification of the integrity of the data. The digital
signature is included as part of the mail documentation
file. The mail batch and mail documentation file are
submitted to a carrier distribution system. The carrier
processes the batch of mail (802) and the mail documentation
file as part of the carrier distribution process
to determine the total weight of the batch of mail and
verify the weight of the actual batch of mail in comparison
to the total weight of the batch of mail as set forth
in the mail documentation file.
Description

The present invention pertains to mail payment and 
evidencing methods and systems and, more particularly,
to a mail payment and evidencing system which is
adapted to be employed with a batch of mail prepared 
by a mailer and processed by a carrier as part of the 
mail distribution process. 

Various methods have been developed for payment 
of carrier services. These payment methods include 
postage stamps which are individually applied to each 
mailpiece and metered imprints which are also individ- 
ually applied to each mailpiece. Additionally, other sys- 
tems have been developed such as permit mail where 
a carrier issues a permit allowing certain types of mailing 
and manifest systems wherein mail is manifested and 
delivered to a carrier service along with the manifest. 

In a mail production environment, where large 
batches of mail are produced, each of the above pay- 
ment methods involves compromises between ease of 
use and security for the payment of postage to the car- 
rier service. Stamped mail requires costly printing of 
stamps by the carrier service, as well as costly control 
and revenue accounting for the stamps. Moreover, the 
utilization of stamps as a payment method provides little 
information to the carrier service related to the cost as- 
sociated with operating any particular facility or any par- 
ticular class of mail delivery service provided. Addition- 
ally, the utilization of stamps particularly in a large mail 
production environment, does not easily accommodate 
multiple rate mailings. Mechanical dispensing of stamps 
is slow and prone to malfunction. The labor and time 
involved in purchasing of stamps by the mailer is costly, 
and security is limited due to theft of stamps and reuse 
or "washing" of stamps. 

Traditional metered mail provides a significant level 
of security for the carrier service. However, in a high vol- 
ume production mail environment variable weight mail- 
ings may require multiple meters to achieve high 
throughput speeds and mechanical malfunctions may 
frequently occur for high volumes of mail printed by me- 
ters with mechanical printing mechanisms. 

Many of these problems have been alleviated with 
the advent of new electronic postage meters, particular- 
ly postage meters which are adapted to print with digital 
printing technologies. Enhanced security has been ob- 
tained with postage meters with digital printing through 
the use of encrypted indicias. The encrypted indicias 
employ a digital token which is encrypted data that au- 
thenticates the value and other information imprinted on 
the mailpiece. Examples of systems for generating and 
using digital tokens are described in U.S. Patent No. 
4,757,537 for SYSTEM FOR DETECTING UNAC- 
COUNTED FOR PRINTING IN A VALUE PRINTING 
SYSTEM; U.S. Patent No. 4,831,555 for UNSECURED
POSTAGE APPLYING SYSTEM; and, U.S. Patent No.
4,775,246 for SYSTEM FOR DETECTING UNACCOUNTED
FOR PRINTING IN A VALUE PRINTING SYSTEM. Because the
digital token incorporates encrypted data including
postage value, altering of the
printed postage revenue and the postage revenue block 
is detectable by a standard verification procedure. 
Moreover, systems have been proposed for postal pay- 
ment with verifiable integrity to detect attempts to inter- 
fere with the rating process for the postage amount to 
be imprinted as opposed to interference with the result- 
ing printed postage value. In this connection, reference 
is made to U.S. Patent Number 5,448,641 for POSTAL 
RATING SYSTEM WITH VERIFIABLE INTEGRITY, the 
disclosure of which is hereby incorporated by reference. 

Both permit mail and manifest mail systems, as well 
as related contract mail systems, usually have no evi- 
dence of postage payment on individual mailpieces and 
require complex and extensive acceptance procedures 
and associated documentation. These systems are very 
complex, time consuming and inaccurate for the carrier 
service in administering and accepting mail. Moreover, 
the funds security of the system is vulnerable since it is 
open to undetectable collusion. Once permit mail has 
been accepted into the carrier mail delivery system, it is 
extremely difficult to determine whether the mail has 
been paid for. Furthermore, because of the various
techniques used for payment adjustments, a significant loss
of revenue or over payment by either the carrier or the 
mailer, as the case may be, is possible since payment 
is verified only by a sampling method. In addition, sys- 
tems of this type are very complex for the mailer, are 
error prone and require extensive documentation. Fur- 
ther, the risk of overpayment by the mailer or the require- 
ment to redo the documentation and mail due to adjust- 
ments exists in these systems. Additionally, the systems 
of this type involve time consuming costly acceptance 
procedures. Moreover, for certain of these permit pay- 
ment systems, preprinted envelopes must be main- 
tained in inventory. 

An improved manifest system has been proposed, 
for example, as set forth in U.S. Patent No. 4,907,161 
for BATCH MAILING SYSTEM, U.S. Patent No. 
4,837,701 for MAIL PROCESSING SYSTEM WITH 
MULTIPLE WORK STATIONS; U.S. Patent No. 
4,853,864 for MAILING SYSTEM HAVING POSTAL 
FUNDS MANAGEMENT; and, U.S. Patent No. 
4,780,828 for MAILING SYSTEM WITH RANDOM 
SAMPLING OF POSTAGE. 

It is an object of the present invention to provide an 
improved postage payment and evidencing system. 

It is a further object of the present invention to pro- 
vide an effective controlled acceptance process for such 
mail that includes improved flexibility for the mailer in 
creating mail and a high level of security for payment 
and evidencing of appropriate postage carrier service. 

It is yet a further objective of the present invention 
to employ an encrypted digital token system for batch 
mail along with verification procedures in the accept- 
ance of the mail to allow flexible preparation of mixed 
weight mail and security of carrier service payment 
funds.

A method for controlled acceptance mail payment 
and evidencing in accordance with the present invention 
includes creating a mail batch with a plurality of
mailpieces each having an encrypted indicia printed thereon.
A mail documentation file is created containing the
total weight of the mail batch, the total payment for the 
mail batch and mailer identification, all of which are dig- 
itally signed to facilitate a subsequent verification of the 
integrity of the data. The digital signature is included as 
part of the mail documentation file. The mail batch and 
mail documentation file are submitted to a carrier distri- 
bution system. The carrier processes the batch of mail 
and the mail documentation file as part of the carrier dis- 
tribution process to determine the total weight of the 
batch of mail and verify the weight of the actual batch of 
mail in comparison to the total weight of the batch of mail 
as set forth in the mail documentation file. 

Reference is now made to the following Figures 
wherein like reference numerals designate similar ele- 
ments in the various views and in which: 

FIGURE 1 is a diagrammatic depiction of a batch 
mail generation system employing the present in- 
vention and utilizing an inserter system adapted to 
imprint postal indicia; 

FIGURE 2 is a diagrammatic depiction of an alter- 
nate embodiment of the system shown in FIGURE 
1 where the mailpiece indicia is preprinted prior to 
the insertion process; 

FIGURE 3 is a block diagram showing greater detail 
of the vault elements including the encryption en- 
gine for executing the digital token transformation 
to generate digital tokens imprinted on each mail- 
piece; 

FIGURE 4 is a mailpiece created in accordance with 
the present invention based on the system shown 
in FIGURE 1; 

FIGURE 5 is a mailpiece created in accordance with 
the present invention based on the system shown 
in FIGURE 2; 

FIGURE 6 is a flow chart of the mail preparation 
process in accordance with the present invention;

FIGURE 7 is an example of a printed mail documentation
file;

FIGURE 8 is a depiction of a printed mail error re- 
covery file; 

FIGURE 9 is a flow chart of collecting error data for 
the mail error recovery file shown in FIGURE 8;

FIGURE 10 is a carrier acceptance unit verification
system embodying aspects of the present invention 
and suitable for use with the systems shown in the 
foregoing FIGURES; 

FIGURE 11 is a flow chart of the carrier service ac- 
ceptance process in accordance with the present 
invention; and, 

FIGURE 12 is a flow chart of the mailpiece verification
process depicting aspects of the present invention.

Reference is now made to FIGURE 1. An inserter 
system 102 includes a computer controller 104 for the 
inserter. The controller 104 controls both a plurality of 
feeder modules shown generally at 106, an envelope 
insertion module 108 and a printer 110. The controller 
104 is further connected to a control document feeder 
module 112 and to a vault subsystem 114 by means of 
a bi-directional communication channel 116. The vault 
114 is operatively connected to a non-secure report 
printer 118 utilized to print mail documentation files and 
to a securely coupled printer 120 for imprinting encrypt- 
ed indicia on loose mail which is not part of a batch mail 
run. 

In operation, under control of the inserter controller 
104, control documents are fed from the control document
feeder module 112 onto the inserter transport (not
shown). The control document determines the operation
of the various feeder modules 106 to selectively feed 
inserts onto the transport to be assembled into a colla- 
tion and inserted into an envelope fed from the envelope 
feeder 108. An assembled mailpiece, not shown, when 
it reaches printer 110 has an address printed on the en- 
velope such as for non windowed mail. The assembled 
mailpiece now has to be imprinted with an indicia by the 
printer 110. The indicia is an encrypted indicia which in- 
cludes a digital token provided by the vault 114. Printer 
110 may be a general purpose printer for suitable use
with an insertion machine and may print other necessary 
and optional information such as delivery point postal 
bar code, advertising material, slogans, and the like. It 
should be expressly noted that many other organiza- 
tions for insertion systems can be utilized with the 
present invention, for example, the feeder modules 106 
can be directly controlled by the inserter controller 104 
or the insertion process can be controlled via magnetic 
media such as floppy disks through the controller 104 
as well as different printer arrangements. 

The vault 114 is in communication with one or more 
data centers. A data center 122 is shown. The data center
may be associated with providing the computer meter
resetting system function for the vault 114. This is a function
where carrier service funds are refilled into the vault
114 as carrier service payment evidencing is implemented
through the printing of mailpieces thereby depleting
stored carrier service funds in the vault. Moreover, the 
controller 104 or vault 114 may also be connected to a 
carrier service information center to provide logistics 
and payment information to the carrier service. 

The vault 114 also drives a printer 118 to print a mail
documentation file associated with each batch mail run 
generated by the inserter system 102. The vault 114 
may be associated with a number of other inserter sys- 
tems which may be generating a portion of the batch 
mail run where job splitting is required. Printer 118 is 
desirably a high quality printer capable of printing various
known types of bar code such as PDF 417 or Code
1, depending on the form of implementation of the system.

Reference is now made to FIGURE 2. An inserter
system 202 similar to that shown in 102 is provided; 
however, no printer is provided as part of the inserter 
system. A general purpose printer 204 is provided for 
printing the necessary control and other documents for 
assembly by the inserter system as well as for printing 
the mail documentation file. The printer is controlled by 
a computer 206 as for example a mini or main frame 
computer associated with creating various mailpieces. 
In this embodiment the encrypted indicia is printed by 
the printer 204 on the address bearing document. In 
such case, frequently, the address portion of the ad- 
dress bearing document is viewable through a window 
in the mailing envelope. The computer 206 is connected 
to a vault 208 by a bi-directional communication link 210.
The various digital tokens associated with each mail- 
piece are provided by the vault 208 to the computer 206 
for printing by the printer 204. The vault 208, similar to 
the vault 114 in FIGURE 1, is connected through a communications
link to a remote data center 210 which provides
the same functionality as previously noted.

Reference is now made to FIGURE 3. A vault 302, 
which would be suitable for use as vault 114 shown in 
FIGURE 1 or vault 208 shown in FIGURE 2, includes a 
secure housing 304. Mounted within the secure housing 
is a microprocessor 306 operatively connected to an en- 
cryption engine 308 executing the encryption algorithm 
and holding secret keys necessary to generate the en- 
crypted indicia. A non-volatile memory 309 stores infor- 
mation related to generating the encrypted indicia and 
digital token including the non-resettable piece count, 
accounting data, configuration data, vault identification,
origin postal code, mail documentation file data and rat- 
ing table. Additionally connected to the microprocessor 
is a random access memory 310 containing mailpiece 
data and, if desired, a secure clock 312. The organiza- 
tion and operation of the vault 302 depends upon the 
particular system for encryption being implemented and 
various organizations of vaults and vault related data 
are suitable for use with the present invention. 

Reference is now made to FIGURE 4. A mailpiece 
402 of the type which may be produced on the inserter 
system is shown in FIGURE 1. The mailpiece contains 
addressee information shown generally at 404, a postal 
delivery point bar code 406 and an encrypted indicia 
shown generally at 408. The encrypted indicia including 
the digital token can be formatted in many ways depending
upon the requirements of the particular carrier service
involved. Additionally, different information may be
included or omitted from the encrypted indicia depending
upon the needs and requirement of the carrier service.
The encrypted indicia 408 includes a vault identification
number bar code 410 shown in alphanumeric representation
as PB000001 at 412. The indicia 408 further
includes an imprinted number 389 shown at 414. The 
first digit "3" is an error correcting digit and the next two
digits "8" and "9" are vendor and carrier service digital
tokens, respectively. One suitable system for verification
using two encrypted tokens is disclosed in U.S. Patent
No. 5,390,251 for MAIL PROCESSING SYSTEM INCLUDING
DATA CENTER VERIFICATION FOR MAILPIECES. These digital
tokens enable the carrier service
or the vendor to separately authenticate the validity of
the encrypted indicia 408. Moreover, the digital tokens
can be precomputed. Reference is made to published
European patent application number EP-A-0,686,946,
filed May 12, 1995 for ADVANCED POSTAGE PAY- 
MENT SYSTEM EMPLOYING PRECOMPUTED DIG- 
ITAL TOKENS WITH ENHANCED SECURITY assigned 
to Pitney Bowes Inc., the disclosure of which is hereby 
incorporated by reference. 

The encrypted indicia further includes the imprint of 
the postage amount for the mailpiece at 414, the date 
at 416, the originating postal code at 418, and the se- 
quential piece count for the vault at 420. A bar code at 
422 is a machine readable representation of piece count 
420. A return address which also includes the originat- 
ing postal code is shown at 424. 

Reference is now made to FIGURE 5. A mailpiece 
502 of the type which may be created on the system 
shown in FIGURE 2 includes an encrypted indicia print- 
ed in the address block 504 viewable through a window 
in the mailing envelope. The mailpiece contains an im- 
printed portion of the fixed information relating to the en- 
crypted indicia imprinted on the envelope. This includes 
the vault identification at 506, the originating postal code 
or a portion thereof at 508 and an optional endorsement 
at 510 here, "First Class Mail". 

The portion of the indicia in the address block in- 
cludes the variable part of the information including the 
number "389" at 512 which includes, similar to FIGURE
4, an error correcting code of "3", a first encrypted digital
token of "8" and a second encrypted digital token of "9".
A sequential piece count is shown at 514 and the postage
amount at 516. The date of mailing is shown at 518.
A bar code of both the piece count and the vault identi- 
fication are shown at 520. This information is visible 
through a window 522 in the mailing envelope. 

It should be expressly noted in connection with FIG- 
URE 4 and FIGURE 5 that great flexibility can be pro- 
vided in how the mailpiece itself is organized and how 
the encrypted indicia is organized depending upon the 
requirements of the carrier service. Many forms of im- 
plementation may be accomplished. 

It should also be expressly noted that the particular 
encrypted indicia shown in connection with FIGURE 4
and FIGURE 5 do not include addressee information
as part of the digital token encryption transformation. 
This is important because the inclusion of the addressee 
information into the digital token imprinted on the mail- 
piece to validate the mailpiece requires a synchroniza- 
tion between the mail insertion process and printing of 
the indicia. Thus, the address bearing document must 
precisely match the digital token imprinted on the mailpiece.
In accordance with the present embodiment of
the invention, this is not required (although if desired
could be implemented) because a high level of funds
security is provided without this feature. Thus, a digital
token can be imprinted on the mailpiece where all the
information necessary to validate the indicia is contained
in the indicia itself and is independent of addressee
information. However, it should be also further noted that
in the embodiment shown in FIGURE 2 and the associ- 
ated mailpiece shown in FIGURE 5, if desired, address- 
ee information can easily be included in the digital token 
since the delivery address imprinting and the digital to- 
kens imprinting are accomplished during the same print- 
ing process. 

Reference is now made to FIGURE 6. In creating a 
batch of mailpieces, for every mailpiece in the batch of 
mail, rating parameters are obtained at 602. These rat- 
ing parameters may come from either a measurement 
subsystem 604, manual key entry at 606, for example, 
for imprinting loose mail, and from the inserter control 
system at 608. The rating parameters are received in 
the vault at 610 where the postage due is computed at 
612. The digital token transformation is executed and 
accounting is implemented at 614 by the vault. The ac- 
counting information and digital token are stored at 616 
for utilization in the mail documentation file. The data for
the indicia is formatted at 618. If desired for use as part
of an error recovery process described hereinafter, the
data for the mailpiece record may be digitally signed at
620 and added to the mailpiece record at 622. This data
is sent to the inserter controller (of FIGURE 1) at 624 
and at 626 the indicia is printed on the mailpiece. 

While a detailed flow chart of the operation of the 
system shown in FIGURE 2 is not included, the opera- 
tion of the system shown in FIGURE 2 is similar to that 
described above in connection with FIGURE 1 except 
to accommodate minor differences in the architectural 
arrangement of the components and indicia organiza- 
tion. 

Reference is now made to FIGURE 7. A printed mail 
documentation file is shown at 702. This file is submitted 
to the carrier service with the batch of mail and plays a 
critical role in the acceptance procedure. The file 702 
can be provided to the carrier service either as a printed 
document or electronically or on a storage medium. 

The mail documentation file includes the mail doc- 
umentation file serial number at 704, a mailer identifica- 
tion at 706, a vault identification at 708 and a mailer ac- 
count at 710, if desired. Each mailer may have several 
different accounts for use in different applications and 
each account may have several different vaults associ- 
ated with it. A piece count for the mail run is also pro- 
vided at 712. In the particular run documented by the 
mail documentation file 702, 1,410 mailpieces were produced
for submission as the batch. Also provided as part
of the mail documentation file is the date of submission
at 714 and the identification of the rating table employed at
716. It should be noted that the rating table identification
may be a truncated encrypted hash code of the rating
table employed in a manner described in the above noted
U.S. Patent Number 5,448,641 for POSTAL RATING
SYSTEM WITH VERIFIABLE INTEGRITY.

A digital signature of the entire mail documentation
file is provided at 718 and an error control code at 720 
to facilitate error detection and correction when machine 
reading the mail documentation file. 

The mail documentation file further contains information
for groups of mailpieces which are similar in
weight, size, discount, and postage. For example, on
line one at 722, 731 pieces with postage value of 32
cents, the full postage rate, of the standard size and with
an actual weight of 5/10 of an ounce are listed. Similarly,
in the following entries various groups of mailpieces
having similar weight, size, discount and postage are
listed. The various totals, such as the total weight of the
mailpieces in the batch are provided at 724 along with
the total postage at 726 and the total number of mailpieces
at 728.

Because the mail documentation file 702 contains
a digital signature at 718, the total weight for the mail
run at 724 as well as the number of pieces at 728 and
other data within the mail documentation file cannot be
undetectably altered. This provides a method for verifying
the integrity of the data in the mail documentation
file 702.

The process of creating the mail documentation file
702 can be modified to create a tray documentation file
and corresponding encrypted tray labels for trays and
other containers that are used for mail packaging. In particular,
during a mail generation process information
needed for mail packaging is frequently available to the
inserter, for example, to inserter controller 104 shown in
FIGURE 1. In this case, the inserter controller 104 communicates
the "end of tray" information to the vault 114.
The vault 114 then generates the necessary tray documentation
data similar to the data in the mail documentation
file, for example, the number of mail pieces of different
weight and postage denominations that are contained
in the tray as well as the total weight of mailpieces
in the tray. After that, the vault 114 computes the digital
signature of the tray documentation file by using the same
secret key that is used for digital token computation. The
digitally signed tray documentation file is printed in the
form of a tray label, such as by the printer 118 shown in
FIGURE 1.

Tray labels produced in such fashion are then
scanned during acceptance and verification procedures,
which may, if desired, be made part of the procedure
described in connection with FIGURE 10. For example,
a hand held scanner may be employed. Such
scanner may be operatively connected to the personal
computer 1002 and the secure processor 1008 hereinafter
described in connection with FIGURE 10. This
method allows for simplification of verification procedures
in the case of large mailings containing many
trays (or other suitable containers) and when the verification
based on the mail documentation file relating to
the entire mailing can be cumbersome.

Reference is now made to FIGURE 8. Since mailers
from time to time desire refunds for spoiled mailpieces,
a refund process and accounting procedure is desirably
included in postage payment and evidencing systems. 
In the above described system, the spoiled mailpieces 
such as mailpieces destroyed by the insertion equip- 
ment can be simply reprinted by using the indicia data 
stored in the inserter controller memory and included as 
part of the mail run. Fraudulent "salting" of the mail run 
is detected by the process of weighing the mailpieces 
batch upon acceptance as it will be described hereinaf- 
ter and, when desired, statistical sampling. 

Another method for recovery of funds for spoiled 
mailpieces involves a system where the digital token 
may not be reprinted without being accounted for by the 
vault system. In systems of this type the indicia printers
are securely coupled either by physical security or by
encryption security to the accounting vault. With regard
to such systems, reference is made to the mail error recovery
file shown in FIGURE 8 which may be used in a
system wherein the indicias have been reprinted. 

Error recovery documentation file 802 includes in- 
formation concerning the specific mailpiece which has 
been reprinted. The reprinting process may occur more 
than once if a reprinted mailpiece, for example, is destroyed
during the reprinting process. The present system
allows for accounting for such further reprinting. For
example, a controller mailpiece record number 37 is
shown at 804 and 806. This is for a mailpiece printed by 
a particular vault with a particular piece count, with a 
particular postage and a particular data shown generally 
at 808 in connection with record number 37. The mail 
error recovery documentation file 802 also includes, as 
noted in the mailpiece record obtained from the inserter 
controller, the address to which the mailpiece is being 
sent at 810 and 812. 

It should be noted that the above noted information 
is obtained by knowing the point at which the mail run 
stops and by checking the controller queue to resume 
operation of the inserter run from that queue point which 
thus provides the necessary addressee information. 
The mailpiece record signature is included at 814 and 
816. It should be noted that the mail record signature 
differs for each of the records because the issue times 
are different as can be seen for the second issue in the 
first line of entry and for the third issue in the second line 
of entry. A further example is provided for a mailpiece 
record number 121 at 818 where the indicia was issued 
twice. The entire mail error recovery documentation file 
is signed at 820 to allow authentication of the integrity 
of the data provided in the file. This makes modification 
of the mailer recovery documentation file 802 detecta- 
ble. 

Reference is now made to FIGURE 9 which repre- 
sents a flow chart for generation of the error recovery 
data file. A determination is made at 902 if there is another
mailpiece in the run. If there are no further mailpieces
in the run an error record is signed at 904 and
the signed error recovery documentation file is printed 
at 906. If, on the other hand, there are other mailpieces 
in the run an indicia is produced at 908. A determination 
is thereafter made at 910 if the mailpiece is spoiled. If 
not, the next mailpiece is processed at 912. 

If the mailpiece is spoiled, the mailpiece record is 
retrieved and the signature verified at 914. The reissue 
count for the spoiled mailpiece is incremented at 916 
and the reissue record in the error recovery documen- 
tation file is signed at 918. The mail documentation file 
is updated at 920 and the indicia with reissue count re- 
printed at 922. At this time, the process loops back to 
determine whether or not the reprinted mailpiece was 
spoiled again. 

Reference is now made to FIGURE 10, which 
shows a postal acceptance unit verification system. The 
system includes a personal computer 1002 connected
to a scale 1004, a scanner 1006 and a secure co-proc- 
essor 1008. The secure co-processor provides an en- 
cryption engine, similar to the vault system, used in the 
mail generation process by the mailer service. The en- 
cryption process is identical to the encryption process 
implemented by a vault in enabling a recomputation of 
the digital token based on the data provided in the indicia.
In operation the mail documentation file can be entered
into the personal computer 1002.

The personal computer may, if desired, verify the 
digital signature and the data on the mail documentation 
file 702 to ensure that the data has not been altered. As 
part of processing the digital signature, the same en- 
cryption engine may be used to both generate and verify 
the digital signature. In this manner, only a single en- 
cryption engine is required and the management of the 
encryption keys for both generating the encrypted indi- 
cia and digital signature for the various documentation 
files 702 and 802 is minimized. Thus, desirably, the 
same secret key can be utilized for both generating the 
encrypted digital tokens and the digital signature of documentation
files 702 and 802. As part of the verification
process, when a mail batch is submitted to the carrier 
service, the total mail batch is weighed by scale 1004 
and the data is input to the PC 1002. This information is 
compared against the information contained in the mail 
documentation file 702 to determine consistency as will 
be hereinafter explained in detail. Moreover, the scan- 
ner 1006 can be used to scan sample portions of the 
mail pieces to verify the indicia as well as to verify the 
readability and deliverability of the address information 
and bar codes. Furthermore, the scale 1004 can also 
be used to sample weights of specific mailpieces. Alter- 
natively, rather than employ a scanner 1006, the mail 
documentation file 702 and the mail error recovery doc- 
umentation file 802 can be communicated via a commu- 
nication link 1010 directly into the personal computer 
1002. 

The carrier acceptance process is performed in two
steps. The first step is directed at detecting and ultimately
preventing (through a strong deterrence effect) illegal
copying of encrypted postal indicia. It is performed by 
first scanning the postal mail documentation file and ver- 
ifying the integrity of information and then comparing the 
actual measurable total weight of submitted batch of 
mail with a total weight indicated in the mail documen- 
tation file. Any significant discrepancy (e.g. a difference 
larger than a pre-defined threshold, for example, equal 
to two to three times the weighing accuracy of the scale) 
may indicate the presence of unpaid and unaccounted 
mailpieces in the mail run submitted for acceptance. The 
second phase of the verification process is directed at 
detecting counterfeit mailpieces by sampling various 
mailpieces in the batch of mail. Thus, both duplication 
and counterfeiting are detected by the mail acceptance 
process. 

Reference is now made to FIGURE 11. The mail 
documentation file is scanned at 1102 for digital signa- 
ture and for mail documentation file data. At 1104 the 
secret key by which the mail documentation file was 
signed is retrieved and the digital signature verified at 
1106. The digital signature scanned from 1102 and calculated
from 1106 are compared at 1108. A determination
is made at 1110 whether the signatures match. If no
match is found, an investigation is initiated at 1112. 

If the signatures match, the mail batch is weighed
at 1114. The total weight of the mail batch is then
compared against the weight reported on the mail documentation
file at 1116. A determination is made at 1118
if the weights match. If the weights do not match, an investigation
is initiated at 1120. If the weights do match,
further acceptance testing may be implemented at
1122.
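
The FIGURE 11 flow, as an added example that is not part of the patent text. HMAC-SHA-256 stands in for the secret-key digital signature (this passage names no algorithm), and the field names, key, label prefix and scale accuracy are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample values; none come from the patent.
KEY = b"constructed-demo-key"
SCALE_ACCURACY_OZ = 0.5                 # assumed accuracy of scale 1004
THRESHOLD_OZ = 3 * SCALE_ACCURACY_OZ    # "two to three times the weighing accuracy"

def sign(key, doc):
    # Canonical encoding so mailer and carrier compute over identical bytes.
    body = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    # The text lets one secret key serve indicia tokens and file signatures;
    # the label prefix (an assumption) keeps those two uses from colliding.
    return hmac.new(key, b"mail-doc-file|" + body, hashlib.sha256).hexdigest()

def accept_batch(key, scanned, measured_weight_oz):
    doc = {k: v for k, v in scanned.items() if k != "signature"}
    # 1104-1110: recompute with the retrieved key, compare in constant time.
    if not hmac.compare_digest(sign(key, doc), str(scanned.get("signature", ""))):
        return "investigate (1112): signature mismatch"
    # 1114-1118: scale reading versus the signed total weight.
    if abs(measured_weight_oz - doc["total_weight_oz"]) > THRESHOLD_OZ:
        return "investigate (1120): weight mismatch"
    return "further acceptance testing (1122)"

def make_file(key, **fields):
    # Mailer side: attach the signature to the documentation file fields.
    return dict(fields, signature=sign(key, fields))

FILE_702 = make_file(KEY, mailer_id="M-0001", serial=17,
                     total_weight_oz=1250.0, total_payment_cents=80000)

if __name__ == "__main__":
    print(accept_batch(KEY, FILE_702, 1250.8))    # within threshold
    print(accept_batch(KEY, dict(FILE_702, total_payment_cents=8000), 1250.8))
    print(accept_batch(KEY, FILE_702, 1262.0))    # unaccounted extra weight
```

Because the signature is checked first, the weight comparison only ever runs against a total the mailer actually signed.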

Reference is now made to FIGURE 12. The mail 
error record recovery documentation file is scanned at 
1202 to collect data, error correction information and 
digital signature. The signature on the mail error recovery
documentation file is verified at 1204. A determination
is made at 1206 if the signature is verified. If not, an
investigation is initiated at 1208. If the signatures match,
a sample of mail based on a standard statistical sampling
strategy is obtained at 1210. The statistical sampling
can be any known standard sampling technique
based on the size of the mail run and the number of mailpieces
involved and the perceived risk involved. Examples
of statistical sampling are disclosed in the text "Statistical
Methods" by Snedecor and Cochran, Sixth Edition,
1967, published by the Iowa State University Press.

The verification process of the digital tokens can be 
done off-line and not necessarily in real time. Verification 
of digital tokens may be performed at any point during 
the mail processing and delivery to thereby further re- 
duce the likelihood of collusion. For example, the token 
verification can be implemented at the delivery point fa- 
cility as opposed to the point of batch mail submission. 

At 1212 the next sampled mailpiece indicia is
scanned. The postal data and postal digital token are
retrieved at 1214. The reissue number is compared with
the mail error documentation file at 1216. A determination
is made at 1218 whether the reissue numbers
match. If the numbers do not match, an investigation is
initiated at 1208. If the numbers match, the digital token
transformation is employed to calculate the postal digital
token at 1220. The retrieved and calculated digital tokens
are compared at 1222. A determination is made at
1224 if the tokens match. If the tokens do not match, an
investigation is initiated at 1208. If the tokens do match,
a determination is made at 1226 if the mailpiece is the
last piece in the sample. If not, the next mailpiece is
entered into the sampling process at 1228 and the process
continues at 1212. If, on the other hand, the mailpiece
is the last piece in the sample, an estimated weight
distribution of the sample is calculated at 1230 and a
comparison is made at 1232 between the estimated and
actual weight distribution obtained from the mail documentation
file. The determination is then made at 1234
if the weight distributions match. If a match occurs the
mail is accepted at 1236, and if a match does not occur,
an investigation is commenced at 1208.

It should be noted that the estimated weight distribution
portion of the above described acceptance process
is directed at detecting substitution of a high weight
mailpiece by multiple lower weight mailpieces. Thus,
for example, the sampling is directed to detection of the
substitution of two 1/2 ounce mailpieces (which each
may require payment of 32 cents) for a single one ounce
mailpiece (which would also require a single payment of
32 cents).
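
The weight distribution comparison of steps 1230 to 1234, as an added example that is not part of the patent text. The chi-square goodness-of-fit test is one standard choice (the text only calls for a standard statistical sampling strategy), and the bin labels, counts and piece weights are constructed.

```python
# Chi-square critical values at alpha = 0.01, indexed by degrees of freedom
# (table covers histograms of up to four non-empty bins).
CHI2_CRIT_P01 = {1: 6.635, 2: 9.210, 3: 11.345}

# Constructed histogram from a mail documentation file: piece counts per
# half-ounce bin, narrower than the one-ounce payment break (claim 3).
DOCUMENTED = {"0.0-0.5": 1000, "0.5-1.0": 9000}

def bin_of(weight_oz, width=0.5):
    lo = int(weight_oz // width) * width
    return f"{lo:.1f}-{lo + width:.1f}"

def batch_weight(counts, piece_weight):
    return sum(n * piece_weight[b] for b, n in counts.items())

def distribution_matches(documented, sample_weights_oz):
    """Steps 1230-1234: compare sampled weights to the signed histogram."""
    observed = {}
    for w in sample_weights_oz:
        observed[bin_of(w)] = observed.get(bin_of(w), 0) + 1
    # A sampled piece in a bin the file reports as empty cannot be reconciled.
    if any(documented.get(b, 0) == 0 for b in observed):
        return False, float("inf")
    total, n = sum(documented.values()), len(sample_weights_oz)
    chi2 = 0.0
    for b, count in documented.items():
        if count:
            expected = n * count / total
            chi2 += (observed.get(b, 0) - expected) ** 2 / expected
    df = sum(1 for c in documented.values() if c) - 1
    limit = CHI2_CRIT_P01[df] if df else 0.0
    return chi2 <= limit, chi2

# Substituted batch: 2000 documented 0.9 oz pieces replaced by 4000 pieces
# of 0.45 oz, so the scale total is unchanged and FIGURE 11 passes.
PIECE = {"0.0-0.5": 0.45, "0.5-1.0": 0.9}
ACTUAL = {"0.0-0.5": 5000, "0.5-1.0": 7000}
HONEST_SAMPLE = [0.45] * 10 + [0.9] * 90        # mirrors DOCUMENTED
SUBSTITUTED_SAMPLE = [0.45] * 50 + [0.9] * 70   # mirrors ACTUAL

if __name__ == "__main__":
    print(batch_weight(DOCUMENTED, PIECE), batch_weight(ACTUAL, PIECE))
    print(distribution_matches(DOCUMENTED, HONEST_SAMPLE))
    print(distribution_matches(DOCUMENTED, SUBSTITUTED_SAMPLE))
```

Both batches weigh the same in total, so only the sampled histogram separates them; the bins must be narrower than the payment weight break for the substitution to show up.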

It should be recognized that the above described
system provides numerous benefits to both the mailer
and to the carrier service. The mailer benefits from the
utilization of intelligent or encrypted indicia. The indicia
is printed on the envelope with a high speed commercially
available printer. The indicia may be printed in the
address block with display through a windowed envelope
if desired. Moreover, the process is highly automated
and reduces human interaction in the creation of the
mail batch. For example, the generation of the mail documentation
file or its equivalent is automatic and does
not require further human intervention. The system
avoids the use of multiple meters in high production mail
processing environment since a single vault may be
able to service multiple inserters and the vault may be
refilled with postage or carrier funds through a computer
meter resetting system.

Additionally, the mailer benefits from the ability to
easily implement variable rate mailings and avoids the
need for inventory control, extensive documentation, remakes,
adjustments and associated fees, while having
the benefit of effective funds control. Finally, the system
provides the ability to reprint indicia for spoiled mailpieces
and provides very significant labor savings which result
in improved mail production schedule and mail delivery
due to faster mail acceptance.

The carrier service likewise obtains many benefits
from the present system. The carrier service enjoys
enhanced revenue protection since there is no incentive
to steal vaults (meters) and collusions are easily detect- 
able. The system facilitates the detection of changing 
the denomination on the mailpiece to higher denomina- 
tion, and minimizes under estimated payment adjust- 
ments while avoiding "washed" stamps and adjustment 
errors. Because the system is highly automated it sim- 
plifies an investigation and provides a strong fraud de- 
terrence effect. The system also provides easy access 
to the evidence of fraud. 

Further advantages to the carrier service involve the
computerized transfer of funds, labor savings due to 
streamlined and uniform acceptance procedure, faster 
mail processing due to reducing delays in acceptance 
and simplified administrative controls. The process de- 
scribed in the present invention naturally lends itself for 
cost effective generation of mailings and corresponding 
documentation in the case of mailings combined from 
mailpieces of different classes. For example, in the Unit- 
ed States of America mailings of first and third (adver- 
tising type) class mail can be combined. However, this 
requires very substantial documentation which is costly
and prone to errors.

While the present invention has been disclosed and 
described with reference to the disclosed embodiments 
thereof, it will be apparent, as noted above, that varia- 
tions and modifications may be made. For example, the 
mailer's computer, which contains mailing address lists, 
can perform address cleansing and send the address 
list to the inserter in a mail run data file. This file would 
contain control information for matching the control doc- 
uments with the corresponding envelopes. This can be 
done employing, as previously noted, digital tokens 
which utilize addressee information or do not utilize ad- 
dressee information. It is, thus, intended in the following 
claims to cover each variation and modification that falls 
within the true spirit and scope of the present invention. 

Claims 

1. A method for controlled acceptance mail payment 
and evidencing, comprising the steps of: 

creating a mail batch including a plurality of 
mailpieces each having an encrypted indicia 
printed thereon; 

creating a mail documentation file containing
the total weight of said mail batch, the total payment
for said mail batch and mailer identification,
all of which are digitally signed to facilitate
a subsequent verification of the integrity of the
data, said digital signature included as part of
said mail documentation file;

submitting said mail batch and said mail documentation
file to a carrier distribution system;
and,

processing said mail batch and said mail documentation
file as part of the carrier distribution
process to determine the total weight of said actual
mail batch and verify the weight of said actual
mail batch in comparison to the total weight
of said mail batch as set forth in said mail documentation
file.

2. A method as defined in CLAIM 1 including the further
step of verifying the digital signature on said
mail documentation file as part of said carrier distribution
processing.

3. A method as defined in CLAIM 1 or 2 including the
further step of including the number of mailpieces
in said mail batch having the same actual mailpiece
weight within a predetermined weight range, said
weight range being a smaller weight range than a
carrier payment weight break range.

4. A method as defined in any preceding CLAIMS
wherein said mail documentation file created by
each mailer is serialized and said mail documentation
file serial number is included as part of said mail
documentation file which is digitally signed to enable
subsequent verification of the integrity of the data.

5. A method as defined in any preceding CLAIMS including
the further step as part of said carrier distribution
process of sampling a portion of said mail
batch to determine on a statistical basis if the mailpiece
weight distribution corresponds to the mailpiece
weights distribution contained in said mail
documentation file.

6. A method as defined in CLAIM 5 wherein said sampling
process includes the further step of verifying
authenticity of said encrypted indicia printed on said
sampled mailpieces.

7. A method as defined in any preceding CLAIMS including
the further step of including in said encrypted
indicia printed on each mailpiece of the mail
batch an indication that said mailpiece is part of a
mail batch subject to controlled acceptance
processing as part of a carrier distribution process.

8. A method as defined in any preceding CLAIMS including
the further step of creating a substitute mailpiece
as part of said mail batch for an improperly
prepared mailpiece and utilizing an encrypted indicia
associated with said improperly prepared mailpiece
to provide evidence of payment for said substitute
mailpiece.

9. A method as defined in CLAIM 8 including creating
a mail error recovery file containing data concerning
substitute mailpieces, the mail batch identification
and said mailer identification, which are all digitally
signed to enable subsequent verification of the integrity
of the data in said mail recovery file.

10. A method as defined in any preceding CLAIMS including
a mail container for packaging a portion of
said mail batch and the further steps of:

creating at least one grouping of mailpieces
from said mail batch to be packaged together
in said mail container; and

creating a mail container documentation file
containing the total weight of said mail grouping
and the number of mailpieces in said mail
grouping having the same actual mailpiece
weight, all of which are digitally signed to facilitate
a subsequent verification of the integrity of
the container documentation file data, said digital
signature included as part of said mail container
documentation file.

11. A method as defined in CLAIM 10 further including
the step of generating a mail container documentation
file label for attachment to said mail container.

12. A method as defined in CLAIM 11 wherein said label
is a machine readable printed label.

13. A method as defined in CLAIM 11 or 12 wherein said
label stores said container documentation file data
in electronically readable form.

14. A method for mail payment and evidencing, comprising
the steps of:

creating a plurality of mailpieces each having
an encrypted indicia printed thereon, creating
a substitute mail piece for an improperly prepared
mailpiece; and,

utilizing an encrypted indicia associated with
said improperly prepared mailpiece to provide
evidence of payment for said substitute mailpiece.

15. A method as defined in CLAIM 14 including creating
a mail error recovery file containing data concerning
substitute mailpieces.

16. A system for mail payment and evidencing, comprising
means for performing the steps of any preceding
claims.